Hi Mario,

On Thu, May 07, 2020 at 02:25:41AM +0000, mario.limoncie...@dell.com wrote:
> Hello,
> Recently there has been a discussion within upstream fwupd to start
> including the UEFI dbx revocation list directly with the fwupd package.
> During the code review for this as part of reviewing the terms included
> with it there are concerns if this would fit within the DFSG. Would it be
> possible to request a review of these terms to determine if this is
> appropriate to distribute in Debian?
> https://uefi.org/revocationlistfile

> Furthermore, if it is not acceptable to distribute this raw data in
> Debian, one of the options being considered is to programmatically
> re-generate a list of invalid hashes but without the signatures in the
> original file. Would that be acceptable to distribute in Debian instead?

First, the license is not an end-user license and if someone chooses to
agree to the license as part of downloading, this appears to only be binding
on the downloader; it is not a license that must be included in the
redistribution to users (as debian/copyright).

Second, the following URL is accessible without affirmatively agreeing to
the license.

http://www.uefi.org/sites/default/files/resources/dbxupdate.zip

Third, the contents of this file are a non-copyrightable list of statements
of mathematical facts. Distribution of this file is not subject to copyright
law.

I don't think there is any issue with Debian distributing this file.

FWIW Ubuntu already distributes this file in the secureboot-db package. I do
not think that Ubuntu would want to enable updates of the revocation list
via the fwupd package since revocations could in principle impact the
bootability of the system (if the dbx update included a hash of Ubuntu's
shim, or Ubuntu's signing key). dbx updates should be carefully managed in
conjunction with updates to the bootloader itself, which the tighter
coupling of a directly-managed native package gives us. I think similar
reasoning would apply for Debian.

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                    https://www.debian.org/
slanga...@ubuntu.com                                     vor...@debian.org
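As an added example (not code from this thread, from fwupd or from secureboot-db), the following Python shows the option Mario describes: strip the EFI_VARIABLE_AUTHENTICATION_2 wrapper (timestamp plus PKCS#7 signature) from a dbxupdate.bin and keep only the SHA-256 entries, together with the check Steve's bootability concern calls for, namely whether a given Authenticode hash (say, of the installed shim) is in the list. Structure layouts and GUIDs are the UEFI specification's; the sample blob and all function names are constructed here, and computing the Authenticode hash of a PE file is left out.

```python
import hashlib
import struct
import uuid

EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")  # UEFI spec
EFI_CERT_TYPE_PKCS7_GUID = uuid.UUID("4aafd29d-68df-49ee-8aa9-347d375665a7")  # UEFI spec
WIN_CERT_TYPE_EFI_GUID = 0x0EF1
EFI_TIME_SIZE = 16  # EFI_TIME at the head of EFI_VARIABLE_AUTHENTICATION_2

def strip_auth_header(blob):
    """Drop the EFI_VARIABLE_AUTHENTICATION_2 wrapper and return the EFI_SIGNATURE_LIST payload."""
    dw_length, _rev, cert_type = struct.unpack_from("<IHH", blob, EFI_TIME_SIZE)
    cert_guid = uuid.UUID(bytes_le=blob[EFI_TIME_SIZE + 8:EFI_TIME_SIZE + 24])
    if cert_type != WIN_CERT_TYPE_EFI_GUID or cert_guid != EFI_CERT_TYPE_PKCS7_GUID:
        raise ValueError("not a PKCS#7 authenticated variable update")
    return blob[EFI_TIME_SIZE + dw_length:]  # dwLength covers Hdr + CertType + CertData

def parse_signature_lists(payload):
    """Yield (SignatureType, SignatureOwner, SignatureData) for each EFI_SIGNATURE_DATA."""
    off = 0
    while off < len(payload):
        sig_type = uuid.UUID(bytes_le=payload[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", payload, off + 16)
        if list_size < 28 + hdr_size or off + list_size > len(payload):
            raise ValueError("truncated or malformed EFI_SIGNATURE_LIST")
        pos, end = off + 28 + hdr_size, off + list_size  # 28 = GUID + three UINT32 fields
        while pos + sig_size <= end:
            owner = uuid.UUID(bytes_le=payload[pos:pos + 16])
            yield sig_type, owner, payload[pos + 16:pos + sig_size]
            pos += sig_size
        off = end

def dbx_sha256_hashes(blob):
    """The signature-free form of the list: hex SHA-256 entries only, in file order."""
    return [d.hex() for t, _o, d in parse_signature_lists(strip_auth_header(blob))
            if t == EFI_CERT_SHA256_GUID]

def is_revoked(blob, authenticode_sha256_hex):
    """Would applying this update revoke a binary (e.g. the installed shim) with this hash?"""
    return authenticode_sha256_hex.lower() in dbx_sha256_hashes(blob)

def build_sample_dbx_update(hashes, fake_pkcs7=b"\x30\x00"):
    """Constructed test blob with the real layout but a dummy (unverifiable) signature."""
    hdr = struct.pack("<IHH", 8 + 16 + len(fake_pkcs7), 0x0200, WIN_CERT_TYPE_EFI_GUID)
    auth = bytes(EFI_TIME_SIZE) + hdr + EFI_CERT_TYPE_PKCS7_GUID.bytes_le + fake_pkcs7
    sigs = b"".join(uuid.UUID(int=0).bytes_le + h for h in hashes)  # SignatureSize 16 + 32
    esl = EFI_CERT_SHA256_GUID.bytes_le + struct.pack("<III", 28 + len(sigs), 0, 48) + sigs
    return auth + esl

SAMPLE_HASHES = [hashlib.sha256(b"constructed-binary-%d" % i).digest() for i in range(3)]
SAMPLE_BLOB = build_sample_dbx_update(SAMPLE_HASHES)
```

Run against a real dbxupdate.bin the same functions apply unchanged; only the sample blob is synthetic.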